Abstract. We propose four different identification schemes that make use of bilinear pairings, and prove their security under certain computational assumptions. Each of the schemes is more efficient and/or more secure than any known pairing-based identification scheme.
1. Introduction

An identification scheme is a protocol whereby Peggy the Prover proves to Victor the Verifier that she is indeed who she says she is. In practice, Peggy's identity is encoded in a private key $a$ and a public key $y$. The protocol takes the form of Peggy proving to Victor that she has knowledge of the private key $a$. For example, the private key might be $a$ and the public key $y = x^a \pmod p$, where $a$ and $x$ are integers and $p$ is a prime number, and Peggy proves her identity by demonstrating that she knows the discrete logarithm of $y$ to the base $x$. Now, Peggy could simply tell Victor $a$, and Victor could verify that $a$ is the correct private key, but then Victor could impersonate Peggy to a third party. A viable identification scheme must prevent this from happening; we require that Victor cannot impersonate Peggy even after she has proved her identity to him polynomially many times. Because of this property, an identification scheme is also called a zero-knowledge proof of identity.

Feige, Fiat, and Shamir [7] introduced the first identification scheme in 1988, based on the difficulty of inverting RSA. Soon thereafter, Guillou and Quisquater and Schnorr introduced their own identification schemes, based on RSA and discrete logarithms respectively. These two schemes are still amongst the most efficient and well-studied identification schemes, though their security has never been reduced to a standard computational problem such as factoring or discrete logarithms.

Identification schemes are closely related to signature schemes. For example, one way for Peggy 
to prove her identity to Victor is for him to ask her to digitally sign a message of his choice; if the 
signature is hard to forge, then a valid signature will constitute an acceptable proof of identity. 
On the other hand, many of the standard identification schemes can be converted to a signature 
scheme by replacing Victor with a one-way hash function. 

Recent years have brought a host of signature schemes that make use of bilinear pairings. The first of these was the short signature scheme of Boneh, Lynn, and Shacham in 2001. This was quickly followed by a spate of pairing-based schemes designed for various applications: group signatures, ring signatures, aggregate signatures, multisignatures, threshold signatures, and more. Given this plethora of pairing protocols and the close relationship between identification schemes and signatures, it is natural to ask whether there might be a pairing-based identification scheme that has some advantage over the GQ or Schnorr schemes. The first step in this direction was taken by Kim and Kim in 2002 [11]. Their scheme was later shown to be flawed; others have since proposed pairing-based identification schemes, but none has given a convincing proof of security with a tight reduction.

In this paper, we present four new identification schemes based on pairings, and prove their security given certain computational assumptions. We begin in Section 2 by giving a formal definition of security for identification schemes, reviewing some standard computational assumptions, and describing the bilinear pairings useful for cryptography. In Section 3 we describe a basic scheme based on the Boneh-Lynn-Shacham signatures and prove its security in the random oracle model under the Computational Diffie-Hellman assumption. Since the random oracle model is somewhat unsatisfactory for proving security of identification schemes, in Section 4 we modify the scheme so that it does not require the use of hash functions. To prove security of this new scheme we introduce a new assumption, called the "one-more-Computational Diffie-Hellman" assumption, which is related to several existing assumptions in the literature.

In Section 5 we take another tack, adapting a signature scheme that does not make use of random oracles for its proof of security. The proof of security of this scheme relies on the "Strong Diffie-Hellman assumption," an analogue of the "Strong RSA assumption" used to prove the security of certain RSA-based signature schemes. Finally, in Section 6 we introduce a scheme whose proof of security relies on the assumption that the pairing used is a one-way function. We show that this assumption is weaker than any other made in this paper, and thus this scheme is the most secure of our new schemes.

Having presented our four new schemes and proved their security, in Section 7 we describe two other pairing-based identification schemes in the literature, and in Section 8 we examine the bandwidth and computational requirements of all six schemes. We conclude that each of our four protocols is the preferred identification scheme in some context, for either efficiency or security reasons.

1.1. Acknowledgments. Research for this paper was conducted during a summer internship at 
HP Labs, Palo Alto. I thank Vinay Deolalikar for suggesting this problem and for providing advice 
and support along the way. I also thank Gadiel Seroussi for bringing me to HP and for supporting 
my research. 

2. Preliminaries 

2.1. Identification schemes. Formally, an identification scheme consists of a key-generation algorithm $G$ that creates a valid set of keys $a$ (Peggy's private key) and $p_a$ (Peggy's public key), and an interactive protocol $(P, V)$ that takes as input the public and private keys, and outputs 1 (accept) or 0 (reject). We require that if both users follow the protocol and use a valid public/private key pair, the protocol always outputs 1 (accepts). We also require that any cheating prover $A$ that does not know Peggy's private key cannot interact with an honest verifier $V$ and produce output 1; this is a "passive attack." Furthermore, we require that a cheating verifier $B$ cannot interact with Peggy, pass what he learns on to the cheating prover $A$, and have $A$ interact with an honest verifier $V$ and produce output 1; this is an "active attack." We note that a passive attack is a special case of an active attack, in which $B$ outputs nothing. This leads us to the following definition:

Definition 2.1 (cf. Definition 4.7.8 in the cited reference). A $(t, q, \epsilon)$-identification scheme is a triple $(G, P, V)$, where $G$ is a probabilistic polynomial-time algorithm and $(P, V)$ is a pair of probabilistic interactive machines running in time at most $t$, satisfying the following conditions:

• Viability: For any $\alpha \in \{0,1\}^n$, let $G(\alpha) = (a_\alpha, p_\alpha)$. Then

$$\Pr\big[(P(a_\alpha, p_\alpha), V(p_\alpha)) = 1\big] = 1.$$

• Security: For any $\alpha \in \{0,1\}^n$, let $G(\alpha) = (a_\alpha, p_\alpha)$. For any probabilistic interactive machine $B$ running in time at most $t$, let $T_\alpha$ be a random variable describing the output of $B(p_\alpha)$ after interacting with $P(a_\alpha, p_\alpha)$ $q$ times. Then for any probabilistic interactive machine $A$ running in time at most $t$,

$$\Pr\big[(A(p_\alpha, T_\alpha), V(p_\alpha)) = 1\big] < \epsilon.$$

Note that the security condition implies that a third party, Malice, cannot impersonate Peggy to Victor, provided that Malice cannot interact concurrently with Peggy and Victor. Indeed, if Malice can interact concurrently with both, she may impersonate Peggy by referring Victor's queries to Peggy and relaying the response back to Victor.



2.2. Computational assumptions. All of public-key cryptography relies on certain computa- 
tional assumptions for its security; e.g. that factoring is difficult. The assumptions relevant to our 
identification schemes are of the Diffie-Hellman type, named after the two creators of public-key 
cryptography. The original Diffie-Hellman problem is known as the Computational Diffie-Hellman 
(CDH) problem. 

Definition 2.2. Let $G$ be a cyclic group of order $n$, let $g \in G$, and let $a, b \in \mathbb{Z}_n$. The Computational Diffie-Hellman problem in $G$ is as follows: Given $\{g, g^a, g^b\}$, compute $g^{ab}$.

The $(t, \epsilon)$-Computational Diffie-Hellman assumption holds in $G$ if there is no algorithm $A\colon G^3 \to G$ running in time at most $t$ such that

$$\Pr\big[A(g, g^a, g^b) = g^{ab}\big] \ge \epsilon,$$

where the probability is taken over all possible choices of $(g, a, b)$.

It is possible that given a triple (g,g a ,g b ), it is hard to compute g ab but easy to compute some 
partial information about g ab , such as its least significant bit. To ensure that no such partial 
information can be gained, we must make an even stronger assumption, known as the Decision 
Diffie-Hellman (DDH) assumption. 

Definition 2.3. Let $G$ be a cyclic group of order $n$, let $g \in G$, and let $a, b, c \in \mathbb{Z}_n$. The Decision Diffie-Hellman problem in $G$ is as follows: Given $\{g, g^a, g^b, g^c\}$, determine whether $g^{ab} = g^c$.

The $(t, \epsilon)$-Decision Diffie-Hellman assumption holds in $G$ if there is no algorithm $A\colon G^4 \to \{0, 1\}$ running in time at most $t$ such that

$$\Big|\Pr\big[A(g, g^a, g^b, g^{ab}) = 1\big] - \Pr\big[A(g, g^a, g^b, g^c) = 1\big]\Big| \ge \epsilon,$$

where the probabilities are taken over all possible choices of $(g, a, b, c)$.



2.3. Bilinear maps and pairings. Joux and Nguyen [12] showed that an efficiently computable bilinear map on $G$ gives an algorithm for solving the Decision Diffie-Hellman problem on $G$. Boneh, Lynn, and Shacham make use of this property in their signature algorithm by using the pairing to verify that the signature creates a valid Diffie-Hellman tuple. Our identification schemes will use pairings in their verification procedures in a similar manner.

The following definition gives the conditions necessary for a bilinear map to be useful for cryptographic purposes. To simplify our exposition, we will consider only the case where both arguments of the pairing are in the same group; for the more general case, in which the two arguments come from different groups, see the cited literature.

Definition 2.4. Let $G_1$ and $G_2$ be cyclic groups of prime order $p$. A map $e\colon G_1 \times G_1 \to G_2$ is a cryptographic pairing if the following conditions hold:

• Bilinearity: for all $x, y \in G_1$ and $a, b \in \mathbb{Z}$, $e(x^a, y^b) = e(x, y)^{ab}$.

• Non-degeneracy: if $g$ is a generator of $G_1$, then $e(g, g)$ is a generator of $G_2$.

Remark 2.5. A cryptographic pairing $e$ can be used to solve the DDH problem on $G_1$ as follows: given $\{g, g^a, g^b, g^c\}$, where $g$ is a generator of $G_1$ and $a, b, c$ are integers, compute $h_1 = e(g, g^c)$ and $h_2 = e(g^a, g^b)$. Then $h_1 = h_2$ in $G_2$ if and only if $c = ab \pmod p$. If the CDH problem in $G_1$ is hard and the DDH problem is easy (e.g. if there is a cryptographic pairing on $G_1$), $G_1$ is known as a Gap Diffie-Hellman group. The Gap Diffie-Hellman problem is to solve the CDH problem given an oracle for the DDH problem.
The only known examples of cryptographic pairings are derived from the Weil and Tate pairings on elliptic curves over finite fields. The study of these groups is deep and beautiful and is of great interest to current researchers. However, in describing our protocols we will not take into account the structure of the groups involved in the pairing; rather, we will make certain computational assumptions about the group and use the pairing as a "black box." For further information on elliptic curves, see the cited texts.

3. Identification scheme based on BLS signatures 

A particularly simple method of building identification schemes is to use a digital signature 
algorithm. Victor the Verifier sends a random message to Peggy the Prover, Peggy signs the 
message with her secret key, and Victor verifies that the signature is correct. If the signature 
scheme is secure against forgery, the cheating prover has a negligible chance of creating a valid 
signature on a random message given him by an honest verifier, no matter how many signatures he 
has obtained from the honest prover. 

Boneh, Lynn, and Shacham were the first to devise a digital signature scheme based on pairings. The algorithm provides for signatures of half the length of a DSS signature with an equivalent level of security, and as such it makes for a particularly efficient identification scheme in terms of bandwidth. A full description of the BLS signature scheme, along with a definition of security for signature schemes and the security theorem for the BLS scheme, can be found in Appendix A.

We now show how the BLS signature scheme can be adapted nearly verbatim to serve as an identification scheme. We describe the scheme as an interactive protocol between Peggy the prover and Victor the verifier.

Protocol 3.1. Let $G_1, G_2$ be cyclic groups of prime order $p$, and let $e\colon G_1 \times G_1 \to G_2$ be a cryptographic pairing. Let $g$ be a generator of $G_1$. Let $H\colon \{0, 1\}^* \to G_1$ be a full-domain hash function, and let $n$ be a positive integer.

Key generation: Pick random $x \leftarrow \mathbb{Z}_p$, and compute $v \leftarrow g^x$. The public key is $v$, and Peggy's secret key is $x$.

Interactive protocol:

(1) Victor sends Peggy a random $M \in \{0, 1\}^n$.

(2) Peggy computes $h = H(M)$ and sends Victor $\sigma = h^x$.

(3) Victor computes $e(g, \sigma)$ and $e(v, h)$. If the two are equal he outputs 1 (accept); else he outputs 0 (reject).

Since our signature makes use of a hash function and the proof of security is in the random oracle model, we must add another parameter to our description of security of identification schemes. We say that a scheme using a hash function is a $(t, q, r, \epsilon)$-identification scheme if the conditions of Definition 2.1 hold, with the additional requirement that $(A, B)$ make no more than $r$ queries to the hash function.

Theorem 3.2. Suppose the $(t', \epsilon')$-Computational Diffie-Hellman assumption holds in $G_1$. Then Protocol 3.1 defines a $(t, q_S, q_H, \epsilon)$-identification scheme for all $t$ and $\epsilon$ satisfying

$$\epsilon \ge 2e(q_S + 1)\,\epsilon' \qquad\text{and}\qquad t \le t' - c\,(q_H + 2q_S),$$

where $c$ is a constant that depends on $G_1$, and $e$ is the base of the natural logarithm.

Proof (sketch). If Peggy and Victor follow the protocol, then Protocol 3.1 satisfies the viability condition of Definition 2.1, since

$$e(g, \sigma) = e(g, h^x) = e(g, h)^x = e(g^x, h) = e(v, h)$$

by bilinearity of $e$. The security follows from the security of the BLS scheme: a successful cheating prover $A$ will send an element $\sigma$ in step (2) that is accepted by the honest verifier. This $\sigma$ is, with high probability, a valid BLS signature for a previously unseen message $M$. The security of the BLS scheme against existential forgery under chosen-message attack thus implies the security of Protocol 3.1. The exact bounds for the running time and success probability follow from the proof of security of the BLS scheme (Theorem A.3). For details, see Appendix B. □

4. Identification schemes based on the one-more-CDH assumption 

Protocol 3.1, an identification scheme derived directly from the BLS signature scheme, is unsatisfactory in several ways. While the communication overhead is minimal (one element of $G_1$ and one random string, which needs only to be long enough to avoid hash collisions), the prover and verifier must both compute the hash of the parameter $M$, which adds computational time. In addition, the proof of security is in the random oracle model, which requires us to introduce another security parameter and to assume that the hash function $H$ acts as a random function. Recent attacks on SHA-1 and other hash functions have called into question the credibility of such an assumption, so we would ideally like our identification schemes to be hash-free.

Our first attempt at constructing a pairing-based identification scheme that does not use hash 
functions is simply to recreate the scheme based on BLS signatures, but do away with the hash 
function. 

Protocol 4.1. Let $G_1, G_2$ be cyclic groups of prime order $p$, and let $e\colon G_1 \times G_1 \to G_2$ be a cryptographic pairing. Let $g$ be a generator of $G_1$.

Key generation: Pick random $x \leftarrow \mathbb{Z}_p$, and compute $v \leftarrow g^x$. The public key is $v$, and Peggy's secret key is $x$.

Interactive protocol:

(1) Victor sends Peggy a random challenge $h \in G_1$.

(2) Peggy computes and sends Victor $\sigma = h^x$.

(3) Victor computes $e(g, \sigma)$ and $e(v, h)$. If the two are equal he outputs 1 (accept); else he outputs 0 (reject).

We can think of Protocol 4.1 as Protocol 3.1 where instead of sending a random message $M$ in step (1), Victor sends the hash $h$ of the message $M$; if the hash is random, then $h$ is just a random element of $G_1$. With this modification, the reduction of the scheme to the Computational Diffie-Hellman assumption in $G_1$ breaks down: that reduction relies on the simulator choosing the hash values $h = H(M)$ itself, whereas here the party interacting with Peggy chooses $h$ directly. The security of this scheme thus requires a different assumption.

To determine what kind of security assumption we need to make, we examine the behavior of an attacker. The cheating verifier $B$ interacts with the honest prover $P$ by sending $q$ queries of his choice $h_1, \ldots, h_q$ and receiving the 'signature' of each message, $h_1^x, \ldots, h_q^x$. The cheating prover $A$ must then take a random challenge $h$ and return $h^x$. (Note that by the bilinearity of the pairing $e$, $h^x$ is the only element that $A$ can send in step (2) that will cause an honest verifier to accept.) If $q = 0$, then this is the Computational Diffie-Hellman problem: compute $h^x$ from $\{g, g^x, h\}$. If $q > 0$, we are asking for the solution to a CDH problem given the solutions to $q$ related CDH problems. We formalize this notion in the following definition.

Definition 4.2. Let $G$ be a finite cyclic group. Let $A$ be a randomized algorithm that takes input $g, g^a \in G$ and has access to two oracles. The first is a CDH oracle $\mathrm{CDH}_{g,g^a}(\cdot)$, which on input $h \in G$ returns $h^a \in G$. The second is a challenge oracle $C()$ that, when invoked, returns a random challenge point $r \in G$. Furthermore, we require that $A$ cannot invoke its CDH oracle after it has invoked the challenge oracle. We say that algorithm $A$ has advantage $\epsilon$ in solving the one-more-CDH problem in $G$ if

$$\Pr\big[A(g, g^a, r \leftarrow C()) = r^a\big] \ge \epsilon,$$

where the probability is taken over the choices of $g$ and $g^a$ input to $A$ and the $r$ output from $C()$.

We say the $(t, q, \epsilon)$-one-more-CDH assumption holds in $G$ if there is no algorithm $A$ that runs in time at most $t$, makes at most $q$ queries to its CDH oracle, and has advantage at least $\epsilon$ in solving the one-more-CDH problem in $G$.

Definition 4.2, while it has not appeared previously in the literature, is closely related to the "one-more-RSA-inversion" and "one-more-discrete-logarithm" problems defined by Bellare et al. Bellare and Palacio [2] use these assumptions to prove the security of the well-known Guillou-Quisquater and Schnorr identification schemes, so it seems eminently reasonable that we should have to use a similar assumption in proving the security of our scheme.

We now prove the security of Protocol 4.1 based on the one-more-CDH assumption.

Theorem 4.3. Suppose the $(t, q, \epsilon)$-one-more-CDH assumption holds in $G_1$. Then Protocol 4.1 is a $(t - O(1), q, \epsilon)$-identification scheme.

Proof. Suppose $(A, B)$ is an attack that $(t, q, \epsilon)$-breaks Protocol 4.1 in the sense of Definition 2.1. Define an algorithm $C$ that attempts to solve the one-more-CDH problem in $G_1$, as follows. $C$ receives $(g, g^a)$ as input and uses $v = g^a$ as Peggy's public key, so that the CDH oracle $\mathrm{CDH}_{g,g^a}(\cdot)$ plays the role of the honest prover.

(1) For each challenge $h_i$ that the cheating verifier $B$ sends to the honest prover $P$ in step (1) of the protocol, query the CDH oracle with $h_i$. Run $B$ on the set of outputs $\{h_i^a\}$.

(2) Simulate the honest verifier $V$ by querying the challenge oracle $C()$. Send the output $r$ as the challenge to the cheating prover $A$.

(3) Output $\tau$, the element of $G_1$ sent by the cheating prover $A$ in step (2) of the protocol.

Since $C$ queries the challenge oracle only after all of $B$'s queries have been answered, it respects the ordering requirement of Definition 4.2. If $(A, B)$ successfully breaks the identification scheme, then the element $\tau$ satisfies $e(g, \tau) = e(g^a, r)$, and thus by the bilinearity of the pairing, $\tau = r^a$. The probability of success of $C$ is thus at least $\epsilon$. Furthermore, $C$ makes at most $q$ queries to the CDH oracle and runs in time $t + O(1)$. □
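The following Python script is an added example, not part of the paper: it runs Protocol 4.1 end to end, together with the pairing-based DDH test of Remark 2.5 and the hashed challenge of Protocol 3.1, over a toy symmetric pairing. The toy pairing takes $G_1 = (\mathbb{Z}_{101}, +)$, so the paper's $g^x$ becomes $x \cdot g \bmod 101$ with $g = 1$, and $G_2$ the order-101 subgroup of $\mathbb{Z}_{607}^*$ generated by $W = 2^6 \bmod 607$; $e(a, b) = W^{ab}$ is bilinear and non-degenerate, but discrete logarithms in this $G_1$ are a modular division, so the parameters, the hash-to-group function and every key below are illustrative assumptions with no security. What the example shows is the verification equation $e(g, \sigma) = e(v, h)$ accepting the honest response, rejecting a replayed response on a fresh challenge, and the need to reject an identity-element challenge.

```python
import hashlib
import secrets

# Toy parameters (assumption for this example, NOT secure): the paper's G1 is written
# multiplicatively (g^x); here G1 = (Z_P, +), so "g^x" is x*g mod P with g = 1 and
# "h1 * h2" is h1 + h2 mod P.  G2 is the order-P subgroup of Z_QMOD^*.
P = 101                              # prime group order
QMOD = 607                           # prime with P | QMOD - 1   (606 = 6 * 101)
W = pow(2, (QMOD - 1) // P, QMOD)    # = 64, a generator of the order-P subgroup
assert W != 1 and pow(W, P, QMOD) == 1

def e(a: int, b: int) -> int:
    """Toy pairing e: G1 x G1 -> G2, e(a, b) = W^(a*b).  Bilinear: e(x^a, y^b) = e(x, y)^(ab)."""
    return pow(W, (a * b) % P, QMOD)

def ddh(g: int, ga: int, gb: int, gc: int) -> bool:
    """Remark 2.5: c = ab (mod p) iff e(g, g^c) == e(g^a, g^b)."""
    return e(g, gc) == e(ga, gb)

def hash_to_g1(message: bytes) -> int:
    """Stand-in for the full-domain hash H of Protocol 3.1 (assumption: SHA-256 reduced mod P;
    a real full-domain hash onto an elliptic-curve group is more involved than this)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % P

# Protocol 4.1 (Protocol 3.1 is the same with h = hash_to_g1(M)).
G = 1                                # generator g of G1

def keygen():
    x = secrets.randbelow(P - 1) + 1          # secret x in Z_p^*
    v = (x * G) % P                           # public key v = g^x
    return x, v

def prover_respond(x: int, h: int) -> int:
    return (x * h) % P                        # sigma = h^x

def verifier_accepts(v: int, h: int, sigma: int) -> bool:
    if h % P == 0:                            # identity challenge: sigma = identity always passes,
        return False                          # so an honest verifier must never accept it
    return e(G, sigma) == e(v, h)             # accept iff e(g, sigma) == e(v, h)

def run_honest(x: int, v: int) -> bool:
    h = secrets.randbelow(P - 1) + 1          # Victor's random challenge in G1
    return verifier_accepts(v, h, prover_respond(x, h))

def run_replay(v: int, old_h: int, old_sigma: int, fresh_h: int) -> bool:
    """Cheating prover that saw one (h, h^x) pair from Peggy and replays sigma on a new challenge.
    Bilinearity forces e(g, sigma) == e(v, fresh_h) iff sigma == fresh_h^x, so this is rejected."""
    assert fresh_h != old_h
    return verifier_accepts(v, fresh_h, old_sigma)

if __name__ == "__main__":
    x, v = keygen()
    print("honest run accepted:", run_honest(x, v))
    print("replay accepted:", run_replay(v, 5, prover_respond(x, 5), 9))
    h = hash_to_g1(b"challenge-nonce")
    print("hashed challenge (Protocol 3.1) accepted:", verifier_accepts(v, h, prover_respond(x, h)))
```

The replay function is the attacker of Definition 2.1 with $q = 1$: the cheating verifier's transcript $(h, h^x)$ is handed to the cheating prover, who can do nothing useful with it because the verifier's fresh $h$ changes the right-hand side of the check. Replacing the toy map with a real Weil or Tate pairing changes only `e`, the group arithmetic and `hash_to_g1`.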

5. Identification scheme based on the Strong Diffie-Hellman assumption 

Protocol 4.1 is very efficient, requiring an exchange of two elements of $G_1$, one exponentiation for the prover, and two pairing computations for the verifier. The one-more-CDH assumption required to prove the scheme's security seems reasonable, especially given that similar assumptions are used in the security proofs of two well-known identification schemes [2]. However, the fact that the one-more-CDH assumption has not previously appeared in the literature may give one pause, as it is generally not advisable to introduce new assumptions about computational difficulty. Thus we would like to find an identification scheme that is as efficient as Protocol 4.1 but requires a weaker security assumption, or at least one that is more widely believed to hold for the groups used in implementations.

The difficulty in adapting the BLS signature scheme into an identification scheme resulted from the random oracle nature of the security proof. Thus we may have more success if we try to adapt a signature scheme that does not require random oracles for its security. Boneh and Boyen have devised such a scheme; a full description of the scheme and the theorem describing its security can be found in the appendix. The security rests on an assumption known as the Strong Diffie-Hellman assumption.

Definition 5.1 (Boneh and Boyen, §3.2). Let $G$ be a cyclic group of prime order $p$, and let $g$ be a generator. The $q$-Strong Diffie-Hellman problem in $G$ is defined as follows: given a $(q+1)$-tuple $(g, g^x, g^{(x^2)}, \ldots, g^{(x^q)})$ as input, output a pair $(c, g^{1/(x+c)})$, where $c \in \mathbb{Z}_p$. An algorithm $A$ has advantage $\epsilon$ in solving the $q$-SDH problem in $G$ if

$$\Pr\big[A(g, g^x, g^{(x^2)}, \ldots, g^{(x^q)}) = (c, g^{1/(x+c)})\big] \ge \epsilon,$$

where the probability is over the choice of $g \in G$ and $x \in \mathbb{Z}_p^*$.

We say that the $(t, q, \epsilon)$-Strong Diffie-Hellman assumption holds in $G$ if there is no algorithm $A$ that runs in time $t$ and has advantage $\epsilon$ in solving the $q$-SDH problem in $G$.

In our protocol based on the Boneh-Boyen scheme, Victor the Verifier sends a random challenge message to Peggy the Prover, which Peggy then signs with her private key.

Protocol 5.2. Let $G_1, G_2$ be cyclic groups of prime order $p$, and let $e\colon G_1 \times G_1 \to G_2$ be a cryptographic pairing. Let $g$ be a generator of $G_1$.

Key generation: Pick random $x, y \leftarrow \mathbb{Z}_p^*$ and compute $u \leftarrow g^x$, $v \leftarrow g^y$, and $z \leftarrow e(g, g)$. The public key is $(u, v, z)$, and Peggy's secret key is $(x, y)$.

Interactive protocol:

(1) Victor sends Peggy a random $m \in \mathbb{Z}_p^*$.

(2) Peggy chooses a random $r \in \mathbb{Z}_p^*$, computes $\sigma = g^{1/(x + m + yr)}$, and sends Victor $(\sigma, r)$. (In the unlikely event that $x + m + yr = 0 \pmod p$ the exponent is undefined, and Peggy chooses a fresh $r$, exactly as in the Boneh-Boyen signature scheme.)

(3) Victor computes $e(\sigma, u \cdot g^m \cdot v^r)$. If the result is equal to $z$ he outputs 1 (accept); else he outputs 0 (reject).

Theorem 5.3. Suppose the $(q', t', \epsilon')$-SDH assumption holds in $G_1$. Then Protocol 5.2 defines a $(t, q, \epsilon)$-identification scheme, provided that

$$q \le q', \qquad \epsilon \ge 2\epsilon'\Big(\frac{p}{p-q}\Big) + \frac{2q}{p-q} \approx 2\epsilon', \qquad\text{and}\qquad t \le t' - \Theta(q'^2 T),$$

where $T$ is the maximum time for an exponentiation in $G_1$.

Proof. We first check the viability condition. If Peggy and Victor both follow the protocol, then Victor will always accept, since

$$e(\sigma, u \cdot g^m \cdot v^r) = e\big(g^{1/(x+m+yr)},\ g^x \cdot g^m \cdot g^{yr}\big) = e(g, g)^{\frac{x+m+yr}{x+m+yr}} = e(g, g) = z$$

by bilinearity of $e$. To check the security (soundness) condition, given an attacker $(A, B)$ that $(t, q, \epsilon)$-breaks the scheme (in the sense of Definition 2.1), we can define an attacker $C$ that $(t + O(1), q, \epsilon_{\mathrm{BB}})$-breaks the Boneh-Boyen signature scheme, where $\epsilon_{\mathrm{BB}} = \epsilon(1 - q/p)$; the factor $1 - q/p$ accounts for the possibility that the honest verifier's random challenge $m$ coincides with one of the $q$ messages that Peggy has already signed for $B$, in which case $A$'s response is not an existential forgery. The reduction is otherwise identical to that in the proof of Theorem 3.2, and we choose not to repeat the details. □
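As an added example (not from the paper), the following Python script runs Protocol 5.2 over the same toy pairing used in the example for Protocol 4.1: $G_1 = (\mathbb{Z}_{101}, +)$ with $g = 1$, so $g^x$ is $x \bmod 101$ and a product in $G_1$ is a sum, and $G_2$ is the order-101 subgroup of $\mathbb{Z}_{607}^*$. The parameters and keys are illustrative assumptions with no security. The script shows the inversion $1/(x + m + yr)$ in $\mathbb{Z}_p$, the resampling of $r$ when that denominator is zero, the check $e(\sigma, u \cdot g^m \cdot v^r) = z$, and that a transcript $(\sigma, r)$ captured for one challenge $m$ does not verify for another.

```python
import secrets

# Toy pairing (assumption, NOT secure): G1 = (Z_P, +) with generator g = 1, so the paper's
# g^x is x mod P and a product of G1 elements is a sum; G2 = order-P subgroup of Z_QMOD^*.
P, QMOD = 101, 607
W = pow(2, (QMOD - 1) // P, QMOD)        # generator of G2, order 101

def e(a: int, b: int) -> int:
    return pow(W, (a * b) % P, QMOD)

G = 1                                     # generator g of G1

def keygen():
    x = secrets.randbelow(P - 1) + 1
    y = secrets.randbelow(P - 1) + 1
    u, v, z = (x * G) % P, (y * G) % P, e(G, G)        # u = g^x, v = g^y, z = e(g, g)
    return (x, y), (u, v, z)

def sign(sk, m: int, r: int):
    """Peggy's response for challenge m and randomness r: sigma = g^(1/(x + m + y r)).
    Returns None when x + m + y r = 0 (mod p), which has no inverse; the caller picks a new r."""
    x, y = sk
    d = (x + m + y * r) % P
    if d == 0:
        return None
    return (pow(d, -1, P) * G) % P

def prover_respond(sk, m: int):
    while True:                                        # resample r on the zero-denominator case
        r = secrets.randbelow(P - 1) + 1
        sigma = sign(sk, m, r)
        if sigma is not None:
            return sigma, r

def verifier_accepts(pk, m: int, sigma: int, r: int) -> bool:
    u, v, z = pk
    # e(sigma, u * g^m * v^r) == z ; in the additive toy G1 the second argument is u + m*g + r*v
    return e(sigma, (u + m * G + r * v) % P) == z

def run_honest(sk, pk) -> bool:
    m = secrets.randbelow(P - 1) + 1                 # Victor's random challenge in Z_p^*
    sigma, r = prover_respond(sk, m)
    return verifier_accepts(pk, m, sigma, r)

def run_replay(pk, m_old: int, sigma: int, r: int, m_new: int) -> bool:
    """Cheating prover replaying a captured (sigma, r) on a different challenge; rejected because
    the pairing argument u + m*g + r*v changes with m while sigma was built for m_old."""
    assert m_new != m_old
    return verifier_accepts(pk, m_new, sigma, r)
```

With the secret key $(x, y) = (3, 5)$, challenge $m = 10$ and $r = 2$ the denominator is $23$ and $\sigma = 23^{-1} \bmod 101 = 22$; the same key with $r = 58$ gives denominator $303 \equiv 0$, which is the case step (2) must resample.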



6. Identification scheme based on pairing as a one-way function 

The identification scheme of Protocol 5.2 is less efficient than that of Protocol 4.1, requiring both more bandwidth and more computation. However, the assumption required to prove security is weaker for the former, implying a tradeoff between efficiency and security. One may ask how far we can carry this tradeoff: what is the weakest possible assumption necessary for a secure identification scheme? We now propose a scheme whose proof of security rests solely on the assumption that the pairing $e\colon G_1 \times G_1 \to G_2$ is a one-way function when one argument is fixed. This assumption is weaker than both Computational Diffie-Hellman in $G_1$ and Decision Diffie-Hellman in $G_2$, both of which are standard assumptions that have been used to prove the security of a wide variety of cryptosystems.

When we say that a pairing is a one-way function, we mean that given $g \in G_1$ and $y \in G_2$, it is hard to invert the pairing; that is, to find an element $h \in G_1$ such that $e(g, h) = y$.
Definition 6.1. Let $e\colon G_1 \times G_1 \to G_2$ be a cryptographic pairing. We say that $e$ is a $(t, \epsilon)$-one-way pairing if for any algorithm $A$ that takes as input $g \in G_1$ and $y \in G_2$, produces as output an element of $G_1$, and runs in time at most $t$,

$$\Pr\big[e(g, A(g, y)) = y\big] \le \epsilon,$$

where the probability is taken over the possible values of $g$ and $y$. Given any such $A$, we say that $A$ inverts the pairing with probability at most $\epsilon$.

To support our claim that one-wayness of pairings is a weak assumption, we note that inverting a pairing is no easier than solving either the Computational Diffie-Hellman problem in $G_1$ or the Decision Diffie-Hellman problem in $G_2$. Indeed, solving the equation $e(g, h) = e(g^a, g^b)$ for $h$ solves the CDH problem for $(g, g^a, g^b)$ in $G_1$, and solving the equations $e(g, h_i) = z_i$ for $h_i$ given $z_i \in \{z, z^a, z^b, z^c\}$ allows us to use the pairing $e$ to determine whether $z^{ab} = z^c$ in $G_2$. For precise statements and proofs of these facts, see the appendix.

Now that we are confident that inverting a pairing is a sufficiently hard problem, we forge onward 
and define an identification scheme based on the difficulty of inverting a pairing. 

Protocol 6.2. Let $G_1, G_2$ be cyclic groups of prime order $p$, and let $e\colon G_1 \times G_1 \to G_2$ be a cryptographic pairing.

Key generation: Pick random $P, Q \leftarrow G_1$, random $y \leftarrow G_2$, and random $s \leftarrow \mathbb{Z}_p^*$. Compute $v \leftarrow e(P, Q)^{-1} \cdot y^{-s} \in G_2$. The public key is $(P, y, v)$, and Peggy's secret key is $(Q, s)$.

Interactive protocol:

(1) Peggy chooses random $R \leftarrow G_1$ and $r \leftarrow \mathbb{Z}_p$, and sends Victor $x = e(P, R) \cdot y^r \in G_2$.

(2) Victor sends Peggy a random $m \in \mathbb{Z}_p^*$.

(3) Peggy computes $T = R \cdot Q^m \in G_1$ and $a = r + ms \in \mathbb{Z}_p$, and sends Victor $(T, a)$.

(4) Victor computes $e(P, T) \cdot y^a \cdot v^m \in G_2$. If the result is equal to $x$ he outputs 1 (accept); else he outputs 0 (reject).

Remark 6.3. It is easy to see that this protocol is viable: if Peggy and Victor both follow the protocol, Victor will always output 1, since

$$\begin{aligned}
e(P, T) \cdot y^a \cdot v^m &= e(P, R \cdot Q^m) \cdot y^{r + ms} \cdot \big(e(P, Q)^{-1} \cdot y^{-s}\big)^m \\
&= e(P, R) \cdot e(P, Q)^m \cdot y^{r + ms} \cdot e(P, Q)^{-m} \cdot y^{-ms} \\
&= e(P, R) \cdot y^r \\
&= x.
\end{aligned}$$

Showing security is a trickier matter. Our proof uses the "heavy row" technique introduced by Feige, Fiat, and Shamir [7] in their seminal paper on proofs of identity. The proof closely follows those of Okamoto's schemes [14] based on the discrete logarithm and RSA inversion. We state the theorem below and give a sketch of the proof; the full proof can be found in Appendix D.

Theorem 6.4. Suppose $e\colon G_1 \times G_1 \to G_2$ is a $(t', \epsilon')$-one-way pairing, where $\epsilon' > 3/16$ and $p = |G_1| = |G_2| > 17$. Then Protocol 6.2 is a $(t, q, \epsilon)$-identification scheme, provided that

$$\epsilon > \frac{2}{p} \qquad\text{and}\qquad c_0 + \frac{3(t + c_s q)}{\epsilon} \le t'$$

for some constants $c_0, c_s$ depending on $G_1$, $G_2$, and the pairing $e$.

Proof (sketch). In Remark 6.3 we demonstrated the viability condition of Definition 2.1, so we need only show the security condition. We suppose there is an algorithm $(A, B)$ that breaks Protocol 6.2 and construct an algorithm $C$ that tries to invert the pairing. Given $P \in G_1$ and $y \in G_2$, we simulate Protocol 6.2 using $(P, y)$ as part of the public key and our own randomly chosen private key $(Q^*, s^*)$. Successful execution of the algorithm $(A, B)$ on this instance of the protocol gives a valid interaction between the cheating prover $A$ and the honest verifier $V$. If we run the algorithm again and use the same random coins in the algorithm $(A, B)$, the "heavy row" lemma tells us that we will, with high probability, find a second valid interaction between $A$ and $V$. From the transcripts of these two interactions we can compute $X \in G_1$ such that $e(P, X) = y$, and we have inverted the pairing.

The specific description of the algorithm $C$ is as follows:

(1) Given input $P \in G_1$ and $y \in G_2$, choose random $Q^* \in G_1$ and $s^* \in \mathbb{Z}_p$, and compute $v = e(P, Q^*)^{-1} \cdot y^{-s^*}$.

(2) Simulate Protocol 6.2 with $(P, y, v)$ as the public key and $(Q^*, s^*)$ as the private key.

(3) Run $(A, B)$ on the simulated protocol $1/\epsilon$ times. If the attack succeeds, record $R_{AB}$ (the random coins of $(A, B)$) and the transcript $(x, m, T, a)$.

(4) Run $(A, B)$ on the simulated protocol $2/\epsilon$ times, using $R_{AB}$ as the random coins. If the attack succeeds with a challenge $m' \ne m$, record the transcript $(x, m', T', a')$.

(5) Let $Q = (T/T')^{1/(m - m')} \in G_1$ and $s = (a - a')/(m - m') \in \mathbb{Z}_p$. Output

$$Z = (Q/Q^*)^{1/(s^* - s)}.$$

If steps (3) and (4) succeed and $(Q, s) \ne (Q^*, s^*)$, then step (5) outputs a $Z$ such that $e(P, Z) = y$, and we have inverted the pairing. (Indeed, both transcripts share the commitment $x$, so dividing the two verification equations and raising to the power $1/(m - m')$ gives $e(P, Q) \cdot y^{s} = v^{-1} = e(P, Q^*) \cdot y^{s^*}$, whence $e(P, Q/Q^*) = y^{s^* - s}$.) Since the probability of success of $(A, B)$ is $\epsilon$, step (3) succeeds with constant probability. Furthermore, if $\epsilon > 2/p$, then for at least half of the choices of $R_{AB}$, the probability of success of $(A, B)$ given the random coins $R_{AB}$ is at least $\epsilon/2$. (This is the "heavy row" lemma; see Appendix D for details.) Thus step (4) succeeds with constant probability at least half of the time. Finally, the pairs $(Q, s)$ and $(Q^*, s^*)$ cannot be distinguished even by an infinitely powerful cheating algorithm, so the probability that $(Q, s) \ne (Q^*, s^*)$ is nearly 1. When we calculate these probabilities more precisely, we find that the probability of success of $C$ is at least $3/16$.

Finally, we analyze the running time of $C$. If $c_s$ is the time taken to simulate the protocol with the private key $(Q^*, s^*)$, then each iteration of steps (3) and (4) takes time $t + c_s q$, so those two steps take time $3(t + c_s q)/\epsilon$. Steps (1) and (5) take a constant amount of time, say $c_0$, so the total running time is $c_0 + 3(t + c_s q)/\epsilon$. □
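The following Python script is an added example (not the paper's code) that runs Protocol 6.2 over the toy pairing used in the earlier examples, here with the paper's names: $P$ and $Q$ are elements of $G_1 = (\mathbb{Z}_{101}, +)$, written additively, $y$ lies in $G_2$, the order-101 subgroup of $\mathbb{Z}_{607}^*$, and Victor's check is $e(P, T) \cdot y^a \cdot v^m = x$. It then implements step (5) of algorithm $C$ from the proof of Theorem 6.4: two accepting transcripts with the same commitment $x$ and challenges $m \ne m'$ yield $(Q, s) = ((T/T')^{1/(m-m')}, (a-a')/(m-m'))$, and a witness differing from the simulator's $(Q^*, s^*)$ yields $Z = (Q/Q^*)^{1/(s^* - s)}$ with $e(P, Z) = y$. All parameters and keys are illustrative assumptions with no security. In the toy group a second witness for the same public key can be computed from the discrete logarithm $k$ of $y$, which is precisely what a real pairing is assumed not to leak; the example uses that only to exhibit the final step.

```python
import secrets

# Toy pairing (assumption, NOT secure). G1 = (Z_PRIME, +): the paper's R * Q^m is R + m*Q mod PRIME
# and an exponent 1/(m - m') becomes multiplication by a modular inverse.  G2 = the order-PRIME
# subgroup of Z_QMOD^*, generated by W; inverses and powers in G2 are ordinary modular arithmetic.
PRIME, QMOD = 101, 607
W = pow(2, (QMOD - 1) // PRIME, QMOD)

def e(a: int, b: int) -> int:
    return pow(W, (a * b) % PRIME, QMOD)

def make_keys(P: int, Q: int, k: int, s: int):
    """Public key (P, y, v) and secret key (Q, s) with y = W^k; k is used only by alt_witness."""
    y = pow(W, k, QMOD)
    v = (pow(e(P, Q), -1, QMOD) * pow(y, -s % PRIME, QMOD)) % QMOD   # v = e(P,Q)^-1 * y^-s
    return (P, y, v), (Q, s)

def _rand_nonzero() -> int:
    return secrets.randbelow(PRIME - 1) + 1

def keygen():
    return make_keys(_rand_nonzero(), _rand_nonzero(), _rand_nonzero(), _rand_nonzero())

def commit(pk, R: int, r: int) -> int:                # step (1): x = e(P, R) * y^r
    P, y, _ = pk
    return (e(P, R) * pow(y, r, QMOD)) % QMOD

def respond(sk, R: int, r: int, m: int):             # step (3): T = R * Q^m, a = r + m s
    Q, s = sk
    return (R + m * Q) % PRIME, (r + m * s) % PRIME

def verify(pk, x: int, m: int, T: int, a: int) -> bool:   # step (4): e(P, T) * y^a * v^m == x
    P, y, v = pk
    return (e(P, T) * pow(y, a, QMOD) * pow(v, m, QMOD)) % QMOD == x

def run_honest(pk, sk) -> bool:
    R, r = secrets.randbelow(PRIME), secrets.randbelow(PRIME)
    x = commit(pk, R, r)
    m = _rand_nonzero()                               # Victor's random challenge in Z_p^*
    T, a = respond(sk, R, r, m)
    return verify(pk, x, m, T, a)

def extract(pk, x: int, t1, t2):
    """Two accepting transcripts (m, T, a), (m', T', a') on the same x with m != m' give (Q, s)."""
    (m, T, a), (m2, T2, a2) = t1, t2
    if m == m2 or not (verify(pk, x, m, T, a) and verify(pk, x, m2, T2, a2)):
        return None
    inv = pow((m - m2) % PRIME, -1, PRIME)
    return ((T - T2) * inv) % PRIME, ((a - a2) * inv) % PRIME   # (T/T')^(1/(m-m')), (a-a')/(m-m')

def pairing_preimage(pk, extracted, simulated):
    """Step (5): Z = (Q/Q*)^(1/(s*-s)) satisfies e(P, Z) = y, unless the witnesses coincide."""
    (Q, s), (Qs, ss) = extracted, simulated
    if s == ss:
        return None
    return ((Q - Qs) * pow((ss - s) % PRIME, -1, PRIME)) % PRIME

def alt_witness(pk, sk, k: int, s2: int):
    """Another (Q', s') with the same v, found by solving P*Q' + k*s' = P*Q + k*s in Z_PRIME.
    Possible here only because the toy group leaks k = log_W(y); a real adversary does not have it."""
    P, _, _ = pk
    Q, s = sk
    return (Q + k * (s - s2) * pow(P, -1, PRIME)) % PRIME, s2
```

With `make_keys(7, 11, 3, 5)`, commitment randomness $(R, r) = (20, 9)$ and challenges $m = 13$, $m' = 40$, `extract` returns the honest witness $(11, 5)$; feeding it a second witness such as `alt_witness(pk, sk, 3, 30)` $= (58, 30)$ makes `pairing_preimage` return $Z = 87$, and $e(7, 87) = W^{3} = y$. That last step is the one the reduction relies on: against a cheating prover whose witness is independent of the simulator's $(Q^*, s^*)$ it succeeds with probability nearly 1, while against the honest prover the two witnesses coincide and `pairing_preimage` returns `None`.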

The assumption $p > 17$ in Theorem 6.4 is trivial, since in cryptographic applications $p \approx 2^{160}$. However, the assumption that $e$ is a $(t', \epsilon')$-one-way pairing with $\epsilon' > 3/16$ is a bit stronger than we would like. If we remove both of these conditions we get the following reduction:

Corollary 6.5. Suppose $e\colon G_1 \times G_1 \to G_2$ is a $(t', \epsilon')$-one-way pairing. Then Protocol 6.2 is a $(t, q, \epsilon)$-identification scheme, provided that

$$\epsilon \ge \max\Big\{3\sqrt{\epsilon'},\ \frac{2}{p}\Big\} \qquad\text{and}\qquad t \le \frac{t'}{2} - c_0 - c_s q,$$

for some constants $c_0, c_s$ depending on $G_1$, $G_2$, and the pairing $e$.

The reduction is the same as in the proof of Theorem 6.4, except we don't iterate steps (3) and (4) of algorithm $C$. For full details, see Appendix D.

7. Other identification schemes 

While there have been several pairing-based identification schemes proposed in the literature, 
none of these have been given full proofs of security with polynomial-time reductions. The first 
such scheme, proposed by Kim and Kim [11] and based on the Gap Diffie-Hellman problem, was 
shown to be breakable in constant time by any adversary knowing only the public key. Yao, Wang, 
and Wang proposed a modification of the scheme and proved it to be secure if the Gap Diffie-Hellman 
problem (cf. Remark 2.5) is hard. However, their reduction requires exponential time, and 
thus the proof is unsatisfactory. We will therefore not consider these two schemes when comparing 
the various pairing-based identification schemes. 

More recently, two pairing-based identification schemes have been proposed that appear to be 
more promising. Shao, Cao, and Lu [16] have proposed a scheme very similar to our Protocol 5.2, 
based on the Boneh-Boyen signature scheme. The authors claim that the scheme's security depends 
on the intractability of the Strong Diffie-Hellman problem, but they do not give a proof, and we 
have not been able to come up with a reduction. The scheme is as follows: 

Protocol 7.1 ([16]). Let $G_1, G_2$ be cyclic groups of prime order $p$, and let $e\colon G_1 \times G_1 \to G_2$ be a 
cryptographic pairing. 

Key generation: Pick random $g \leftarrow G_1$ and $x \leftarrow \mathbb{Z}_p^*$, and compute $v \leftarrow g^x \in G_1$ and 
$z \leftarrow e(g,g) \in G_2$. The public key is $(g,v,z)$, and Peggy's secret key is $x$. 

Interactive protocol: 

(1) Peggy chooses a random $w \in \mathbb{Z}_p^*$ and sends Victor $\tau = g^w$. 

(2) Victor sends Peggy a random $r \in \mathbb{Z}_p^*$. 

(3) Peggy sends Victor $\sigma = g^{1/(xr+w)}$. 

(4) Victor computes $e(\sigma, \tau \cdot v^r)$. If the result is equal to $z$ he outputs 1 (accept); else he 
outputs 0 (reject). 

Conjecture 7.2. Suppose there exists an algorithm $(A,B)$ that $(t,q,\epsilon)$-breaks Protocol 7.1. Then 
there is an algorithm $C$ that runs in time polynomial in $t$ and $q$ and succeeds in solving the Strong 
Diffie-Hellman problem with probability polynomial in $\epsilon$. 

The final pairing-based identification scheme we consider was proposed by Hufschmitt, Lefranc, 
and Sibert [10]. The scheme is similar to our Protocol 6.2. 

Protocol 7.3 ([10]). Let $G_1, G_2$ be cyclic groups of prime order $p$, and let $e\colon G_1 \times G_1 \to G_2$ be a 
cryptographic pairing. 

Key generation: Pick random $P \leftarrow G_1$ and $a, b \leftarrow \mathbb{Z}_p^*$ and compute $R \leftarrow P^a$, $S \leftarrow P^b$, 
$Q \leftarrow P^{ab} \in G_1$ and $z \leftarrow e(P,P)$, $v \leftarrow e(P,P)^{ab} = e(P,Q) \in G_2$. The public key is $(P,R,S,v,z)$, 
and Peggy's secret key is $Q$. 

Interactive protocol: 

(1) Peggy chooses a random $r \in \mathbb{Z}_p^*$ and sends Victor $w = z^r = e(P,P)^r$. 

(2) Victor sends Peggy a random $c \in \mathbb{Z}_p^*$. 

(3) Peggy sends Victor $\sigma = P^r \cdot Q^c$. 

(4) Victor computes $e(P,\sigma)$ and $w \cdot v^c$ in $G_2$. If the two are equal he outputs 1 (accept); 
else he outputs 0 (reject). 

Hufschmitt, Lefranc, and Sibert describe a proof of security of their scheme against a "passive" 
attack involving only a cheating prover $A$. They assert that if such an attacker breaks Protocol 7.3, 
then this attacker can be used to solve the Gap Diffie-Hellman problem (cf. Remark 2.5), which is 
(by definition) equivalent to solving the Computational Diffie-Hellman problem in $G_1$. 

One flaw in the design of Protocol 7.3 is that the scheme does not make use of the public 
parameters $R = P^a$ and $S = P^b$, and it appears that they are only included to allow us to reduce 
breaking the protocol to breaking the Computational Diffie-Hellman problem in $G_1$. If we ignore 
these two parameters, then the passive attacker $A$ can be used to invert the pairing $e$, and thus 
the relevant computational assumption is not CDH but the weaker assumption that $e$ is a one-way 
pairing. 
A more serious flaw is that while Protocol 7.3 appears to be secure against passive attacks, our 
definition of security (Definition 2.1) considers an "active" attack, which involves a cheating prover $A$ as 
well as a cheating verifier $B$ who tries to gain information by interacting with Peggy, the honest 
prover. The protocol's authors do not consider such an attack, and we have not yet found a 
security assumption under which the scheme is secure. We conjecture that since the scheme is of 
the same general format as the Schnorr and Guillou-Quisquater schemes ([15], [8]), the assumption 
required for security of Protocol 7.3 will be similar to the assumptions required for the Schnorr 
and GQ schemes. The latter are the "one-more discrete logarithm" and "one-more RSA inversion" 
assumptions considered by Bellare and Palacio, so we expect that an analogous "one-more" 
assumption will allow for a proof of security of Protocol 7.3. 

8. Comparison of identification schemes 

We now compare the various identification schemes we have presented in terms of bandwidth 
and computation required for one iteration of each protocol. The results are summarized in Table 1. 



                                       Bandwidth             Computation 
 ID        Security                -------------------   ----------------------------- 
 Scheme    Assumption               G1    G2    Z_p       G1 exp.    G2 exp.    Pairings 
 ---------------------------------------------------------------------------------------- 
 3.1       CDH in G1 (ROM)          1     -     1*        1P         -          2V 
 4.1       one-more-CDH             2     -     -         1P         -          2V 
 5.2       SDH in G1                1     -     2         1P, 2V     -          1V 
 6.2       e is one-way             1     1     2         1P         1P, 2V     1P, 1V 
 7.1       SDH in G1 (?)            2     -     1         2P, 1V     -          1V 
 7.3       ???                      1     1     1         2P         1P, 1V     1V 

Table 1. Comparison of proposed identification schemes. The Bandwidth column 
indicates the number of elements of $G_1$, $G_2$, and $\mathbb{Z}_p$ exchanged during one instance 
of the protocol. The Computation column indicates how many exponentiations in 
$G_1$, exponentiations in $G_2$, and pairing computations the Prover (P) and Verifier (V) must 
execute during one instance of the protocol. We note that the security proof of 
Protocol 3.1 is in the Random Oracle Model. The entry 1* represents an element of 
$\{0,1\}^n$; in practice $2^n$ will be around the size of $p$. 



Currently, the only pairings used in cryptographic applications are derived from the Weil and 
Tate pairings on elliptic curves over finite fields $\mathbb{F}_q$. These pairings map from the elliptic curve 
group $E(\mathbb{F}_q)$ to some extension field $\mathbb{F}_{q^k}$; the parameter $k$ is called the embedding degree of the 
curve $E$. For the pairing to be useful, it is necessary that the discrete logarithm problems in $E(\mathbb{F}_q)$ 
and $\mathbb{F}_{q^k}$ are both hard. Given current discrete logarithm algorithms, $q \approx 2^{160}$ and $q^k \approx 2^{1024}$ appear 
to be reasonable choices for the parameters. 

We now assume that $G_1 = E(\mathbb{F}_q)$, $G_2 = \mathbb{F}_{q^k}$, and $p \approx q$. An element $P$ of $E(\mathbb{F}_q)$ can be 
represented by an element of $\mathbb{F}_q$ corresponding to the $x$-coordinate of $P$, plus one bit for the sign 
of the $y$-coordinate. Thus elements of $G_1$ and $\mathbb{Z}_p$ are of about the same size ($\log_2 p$ bits), while 
elements of $G_2$ will be $k$ times as large. Therefore if minimizing bandwidth is a primary concern, 
one of Protocols 3.1 or 4.1 should be used. Protocols 6.2 and 7.3 require an element of $G_2$ to be 
transmitted, so they should be avoided. 

If minimizing computational time is a primary concern, we will wish to minimize pairing computation 
and perform as few exponentiations as possible in the larger group. Thus Protocols 5.2 
and 7.1 are ideal for this application. If we only care about minimizing the Prover's computational 
time, as in a smart card application, then one of Protocols 3.1, 4.1, or 5.2 will be best. However, 
Protocol 3.1 may be less preferable since the prover and verifier must each compute a hash function 
in addition to performing the group computations. 

Finally, if security is the foremost concern, then we should choose a scheme whose proof requires 
the weakest security assumption. Table 2 shows the implications between the various computational 
assumptions used to prove security of our protocols. We see that the weakest assumption is that 
the pairing is a one-way function. Protocol 6.2 is based on this assumption, so this scheme is the 
most secure. 

         SDH in G1                       one-more-CDH in G1 
      (Definition 5.1)                  (defined in Section 4) 
              \                                  / 
               \                                / 
                v                              v 
                          CDH in G1 
                       (Definition 2.2) 
                              | 
                              v 
             e: G1 x G1 -> G2 is a one-way pairing 
                     (defined in Section 6) 

Table 2. Implications between various computational assumptions (an arrow from one 
assumption to another means the first implies the second). 



9. Conclusion 

We have presented four new identification schemes based on pairings, and proved their security 
given various computational assumptions. Each of our schemes is at least as efficient and/or secure 
as any scheme currently in the literature. Our main contribution is Protocol 6.2, a scheme which 
is secure if the pairing in question is a one-way function; this assumption is weaker than that made 
for any other pairing-based scheme currently in the literature. 

For another of our schemes, Protocol 4.1, we introduced an assumption called the "one-more-CDH" 
assumption, analogous to the "one-more-discrete-log" and "one-more-RSA-inversion" assumptions, 
and proved our scheme secure under this assumption. An important open question is 
what relation this assumption has to other computational assumptions in the literature. 

Appendix A. Pairing-based signature schemes 

In this appendix, we describe the pairing-based signature schemes that are the basis for the 
identification schemes defined in Protocols 3.1 and 5.2. We give a definition of security for signature 
schemes and state the security theorems for the two protocols in question. 

We first describe the pairing-based short signature scheme devised by Boneh, Lynn, and Shacham 
[6], on which our Protocol 3.1 is based. We describe the scheme in terms of a pairing, but the 
scheme is in fact valid in any group in which the Decision Diffie-Hellman problem is easy and the 
Computational Diffie-Hellman problem is hard; such a group is called a Gap Diffie-Hellman group. 

Protocol A.1 ([6]). Let $G_1, G_2$ be cyclic groups of prime order $p$, and let $e\colon G_1 \times G_1 \to G_2$ be 
a cryptographic pairing. Let $g$ be a generator of $G_1$. Let $H\colon \{0,1\}^* \to G_1$ be a full-domain hash 
function. 

Key generation: Pick random $x \leftarrow \mathbb{Z}_p$, and compute $v \leftarrow g^x$. The public key is $v$, and the 
secret key is $x$. 

Signing: Given a secret key $x \in \mathbb{Z}_p$ and a message $M \in \{0,1\}^*$, compute $h \leftarrow H(M)$ and 
$\sigma \leftarrow h^x$. The signature is $\sigma \in G_1$. 

Verification: Given a public key $v \in G_1$, a message $M \in \{0,1\}^*$, and a signature $\sigma \in G_1$, 
compute $h \leftarrow H(M)$, $e(g,\sigma)$ and $e(v,h)$. If the two are equal, output valid; if not, output invalid. 

Boneh, Lynn, and Shacham prove the security of their scheme using the following game between 
a challenger and an adversary $A$. 

Setup: The challenger runs algorithm KeyGen to obtain a public key PK and a private key 
SK. The adversary $A$ is given PK. 

Queries: Proceeding adaptively, $A$ requests signatures with PK on at most $q_S$ messages of 
his choice, $M_1, \ldots, M_{q_S} \in \{0,1\}^*$. The challenger responds to each query with a signature 
$\sigma_i = \mathrm{Sign}(\mathrm{SK}, M_i)$. 

Output: Eventually, $A$ outputs a pair $(M,\sigma)$ and wins the game if (1) $M$ is not any of 
$M_1, \ldots, M_{q_S}$, and (2) $\mathrm{Verify}(\mathrm{PK}, M, \sigma) = $ valid. 

The advantage of $A$, denoted $\mathrm{Adv}(A)$, is the probability that $A$ wins the above game, taken over 
the coin tosses of KeyGen and of $A$ itself. We are now ready to define the security of a signature 
scheme. 

Definition A.2 ([6, Definition 3.1]). A forger $A$ $(t, q_S, q_H, \epsilon)$-breaks a signature scheme if $A$ runs in 
time at most $t$, makes at most $q_S$ signature queries and at most $q_H$ queries to a hash function, and 
$\mathrm{Adv}(A) \ge \epsilon$. A signature scheme is $(t, q_S, q_H, \epsilon)$-existentially unforgeable under adaptive chosen-message 
attack if no forger $(t, q_S, q_H, \epsilon)$-breaks it. 

The security of the BLS signature scheme is based on the Computational Diffie-Hellman assumption 
in the group $G_1$ (Definition 2.2). 

Theorem A.3 ([6, Theorem 3.2]). Suppose the $(t',\epsilon')$-Computational Diffie-Hellman assumption 
holds in $G_1$. Then the signature scheme defined in Protocol A.1 is $(t, q_S, q_H, \epsilon)$-secure against 
existential forgery under an adaptive chosen-message attack (in the random oracle model) for all $t$ 
and $\epsilon$ satisfying 

$\epsilon \ge e(q_S + 1)\cdot\epsilon'$ and $t \le t' - c(q_H + 2q_S)$, 

where $c$ is a constant that depends on $G_1$, and $e$ is the base of the natural logarithm. 

The second signature scheme we describe was devised by Boneh and Boyen [3]; our identification 
scheme 5.2 is based on this scheme. 

Protocol A.4 ([3]). Let $G_1, G_2$ be cyclic groups of prime order $p$, and let $e\colon G_1 \times G_1 \to G_2$ be a 
cryptographic pairing. Let $g$ be a generator of $G_1$. 

Key generation: Pick random $x, y \leftarrow \mathbb{Z}_p^*$ and compute $u \leftarrow g^x$, $v \leftarrow g^y$, and $z \leftarrow e(g,g)$. 
The public key is $(u,v,z)$, and the secret key is $(x,y)$. 

Signing: Given a secret key $(x,y) \in (\mathbb{Z}_p^*)^2$, and a message $m \in \mathbb{Z}_p^*$, pick a random $r \in \mathbb{Z}_p^*$ 
and compute $\sigma \leftarrow g^{1/(x+m+yr)} \in G_1$, where $1/(x+m+yr)$ is computed modulo $p$. In the 
(unlikely) event that $x + m + yr = 0 \pmod p$, try again with a different random $r$. The 
signature is $(\sigma, r)$. 

Verification: Given a public key $(u,v,z) \in G_1^2 \times G_2$, a message $m \in \mathbb{Z}_p^*$ and a signature 
$(\sigma,r) \in G_1 \times \mathbb{Z}_p^*$, compute $e(\sigma, u \cdot g^m \cdot v^r)$. If the result is equal to $z$ output valid; if not, 
output invalid. 

The security of the Boneh-Boyen scheme is based on the Strong Diffie-Hellman assumption 
(Definition 5.1). The relevant fact about the proof of security is that it gives a tight reduction 
without using the random oracle model. 

Theorem A.5 ([3, Theorem 3.1]). Suppose the $(q, t', \epsilon')$-SDH assumption holds in $G_1$. Then the 
signature scheme defined by Protocol A.4 is $(t, q_S, \epsilon)$-secure against existential forgery under adaptive 
chosen message attack, provided that 

$q_S \le q$, $\epsilon \ge 2(\epsilon' + q_S/p) \approx 2\epsilon'$ and $t \le t' - \Theta(q^2 T)$, 

where $T$ is the maximum time for an exponentiation in $G_1$. 

Appendix B. Security of Protocol 3.1 

Proof of Theorem 3.2. If Peggy and Victor follow the protocol, then Protocol 3.1 satisfies the 
viability condition of Definition 2.1, since 

$e(g,\sigma) = e(g,h^x) = e(g,h)^x = e(g^x,h) = e(v,h)$ 

by bilinearity of $e$. 

To show the security condition, it suffices to show that if the BLS signature scheme (Protocol 
A.1) is $(t', q, r, \epsilon')$-secure against existential forgery under an adaptive chosen-message attack, then 
Protocol 3.1 is a $(t, q, r, \epsilon)$ identification scheme, provided that 

and $t \le t' - c$ 

for some constant $c$ depending on the groups and pairing used. If we give a reduction from the 
identification scheme to the signature scheme with these bounds, then the security theorem for 
the BLS signature scheme (Theorem A.3) implies that there is a reduction from the identification 
scheme to the CDH problem in $G_1$ with the stated bounds. 

To construct the specified reduction, we now suppose that $(A,B)$ is a pair of algorithms that 
$(t, q, r, \epsilon)$-breaks the scheme (in the sense of Definition 2.1) for a given public/private-key pair. 
Define an attacker $C$ on the BLS scheme with the same public and private keys, as follows: 

(1) For each $M_i$ that the cheating verifier $B$ sends to the honest prover $V$, have $C$ request a 
signature on $M_i$. Run $B$ on the output. 

(2) Simulate the honest verifier $V$ by choosing a random $M$ and sending $M$ as input to the 
cheating prover $A$. 

(3) Output the pair $(M,\tau)$, where $\tau \in G_1$ is the element that the cheating prover $A$ sends to 
$V$. 

If $(A,V)$ outputs 1, then the output of algorithm $C$ is a valid BLS message-signature pair. Thus 
if $M$ is distinct from all of the queries $M_i$, then $(M,\tau)$ is a valid forgery. Since the probability of 
$(A,B)$ simulating the prover $V$ is at least $\epsilon$ and the probability that $M$ is equal to one of the $M_i$ 
is $q/2^n$, the probability of forging a signature is at least $(1 - q/2^n)\cdot\epsilon$. We thus have broken the 
BLS scheme with an attacker that runs in time $t + c$ for some constant $c$. The attacker makes $q$ 
signature queries and $h$ hash queries. □ 

Appendix C. Hardness of inverting a one-way pairing 

In Section 6 we stated that the assumption that $e\colon G_1 \times G_1 \to G_2$ is a one-way pairing is weaker 
than both the Computational Diffie-Hellman assumption in $G_1$ and the Decision Diffie-Hellman 
assumption in $G_2$. We now give precise statements and proofs of these facts. 

Proposition C.1. Let $e\colon G_1 \times G_1 \to G_2$ be a cryptographic pairing between groups of order $p$. 
Suppose the $(t,\epsilon)$-Computational Diffie-Hellman assumption holds in $G_1$. Then $e$ is a $(t - O(1), \epsilon)$-one-way 
pairing. 

Proof. Let $A(g,x)$ be an algorithm that runs in time $t$ and inverts the pairing with probability 
at least $\epsilon$. Given a triple $(h, h^a, h^b)$ of elements in $G_1$, let $y = e(h^a, h^b)$, and run $A(h,y)$. Then $A$ 
outputs $h^{ab}$ with probability at least $\epsilon$. □ 

Proposition C.2. Let $e\colon G_1 \times G_1 \to G_2$ be a cryptographic pairing between groups of order $p$. 
Suppose the $(t,\epsilon)$-Decision Diffie-Hellman assumption holds in $G_2$. Then $e$ is a $(t/4 - O(1), \sqrt[4]{\epsilon})$-one-way 
pairing. 

Proof. Let $A(g,x)$ be an algorithm that runs in time $t$ and inverts the pairing with probability at 
least $\epsilon$. We are given a quadruple $(y, y^a, y^b, y^c)$ of elements of $G_2$ and asked to determine if $c = ab \pmod p$. 
Define algorithm $B$ as follows. 

(1) Choose a random $g \in G_1$, and compute 

$h_1 = A(g,y)$, $h_2 = A(g,y^a)$, 
$h_3 = A(g,y^b)$, $h_4 = A(g,y^c)$. 

(2) Compute $e(h_1,h_4)$ and $e(h_2,h_3)$. If the two are equal output 1; else output 0. 

Suppose all four outputs of algorithm $A$ are correct. Then $h_2 = h_1^a$, $h_3 = h_1^b$, and $h_4 = h_1^c$. We 
therefore have $e(h_1,h_4) = e(h_1,h_1)^c$ and $e(h_2,h_3) = e(h_1,h_1)^{ab}$. The two are equal if and only 
if $c = ab \pmod p$. Thus if all four outputs are correct $B$ gives a correct output to the Decision 
Diffie-Hellman problem. The probability that all four outputs are correct is at least $\epsilon^4$, which gives 
the stated security bound. Furthermore, $B$ runs in time $4t + O(1)$. □ 




Remark C.3. We can increase the probability of success of $B$ by iterating the algorithm. Performing 
each computation of $h_i$ $\epsilon^{-4}$ times increases the probability of success to a constant; fewer 
repetitions lead to different time/success ratios. 

Appendix D. Security of Protocol 6.2 

In this appendix, we show that Protocol 6.2 is secure if we assume that $e$ is a one-way pairing. 
The proof adapts Okamoto's arguments for proving security of his two identification schemes [14]. 
We begin the detailed proof by defining a "heavy row" and proving some useful lemmas. 

Definition D.1. Let $(A,B)$ be an algorithm attacking Protocol 6.2. Let $R_{AB}$ denote the random 
coins consumed by $(A,B)$. Let $M$ be a matrix summarizing all of the possible outcomes of the 
cheating prover $A$ interacting with an honest verifier $V$, as follows: the rows of $M$ are indexed 
by the possible choices of $R_{AB}$, the columns of $M$ are indexed by all the possible choices $m$ of the 
verifier $V$ in step (2), and the entries are 1 if $V$ accepts $A$'s proof, and 0 otherwise. 

Suppose the probability of success of $(A,B)$ (i.e. the fraction of 1's in $M$) is $\epsilon$. A row of $M$ is a 
heavy row if its fraction of 1's is at least $\epsilon/2$. 

Lemma D.2. Suppose the success probability of $(A,B)$ in attacking Protocol 6.2 is at least $2/p$. 
Then at least half of the 1's in $M$ are located in heavy rows. 

Proof. Assume the contrary, i.e. at least half the 1's in $M$ are located in non-heavy rows. Then 
the fraction of 1's in all of the non-heavy rows combined is at least $1/p$. On the other hand, in each 
non-heavy row the fraction of 1's is by definition less than $1/p$, a contradiction. □ 

Lemma D.3. Let $(A,B)$ be an algorithm attacking Protocol 6.2 that runs in time $t$ and has success 
probability $\epsilon \ge 2/p$. Then there is an algorithm that runs in expected time $O(t/\epsilon)$ and, with probability 
at least $\frac12(1 - \frac1e)^2$, outputs the history of two accepted interactions $(x,m,T,a)$ and $(x,m',T',a')$ of 
the cheating prover $A$ with an honest verifier $V$, where $m \ne m'$. 

Proof. We adopt the following two-step "probing strategy" (cf. [13], [14]) to find two 1's in the 
same row of $M$. 

Step 1: Probe random entries in $M$ to find an entry $a_0$ that is a 1. Denote the row in which 
$a_0$ is located by $M_0$. 

Step 2: Probe random entries along $M_0$ to find another entry $a_1$ with 1. 

Let $p_1$ be the success probability of Step 1 after probing $1/\epsilon$ random entries of $M$. Since the fraction 
of 1's in $M$ is $\epsilon$, we have 

$p_1 \ge 1 - (1-\epsilon)^{1/\epsilon} \ge 1 - \frac{1}{e}.$ 

Let $p_2$ be the success probability of Step 2 after probing $2/\epsilon$ random entries of $M_0$. If $M_0$ is a heavy 
row, then the fraction of 1's in $M_0$ is at least $\epsilon/2$, and thus the probability of success is at least 

$1 - \left(1 - \frac{\epsilon}{2}\right)^{2/\epsilon} \ge 1 - \frac{1}{e}.$ 

By Lemma D.2 the probability that $M_0$ is a heavy row is at least $1/2$, and thus $p_2 \ge \frac12(1 - \frac1e)$. 
Therefore the overall success probability of our strategy is at least $\frac12(1 - \frac1e)^2$, and the total running 
time is approximately $3t/\epsilon$. 

If the strategy finds two entries $a_0, a_1$ in the same row of $M$, we output the transcripts $(x,m,T,a)$ 
and $(x,m',T',a')$ of the interaction between $A$ and $V$ when given the random coins corresponding 
to $a_0$ and $a_1$ respectively. Since the entries are in the same row, the random coins of $(A,B)$ are the 
same for the two interactions, and thus the first output $x$ is the same for the two interactions. Since 
the entries are in different columns, the random coins of $V$ are different for the two interactions, 
and thus $m \ne m'$. □ 
With this setup, we may now prove the security of our identification scheme. 

Proof of Theorem 6.4. In Remark 6.3 we demonstrated the viability condition of Definition 2.1, 
so we need only show the security condition. Suppose $(A,B)$ is an algorithm that runs in time $t$ 
and attacks Protocol 6.2 with success probability $\epsilon \ge 2/p$. Define an algorithm $C$ that attempts to 
invert the pairing, as follows: 

(1) Given input $P \in G_1$ and $y \in G_2$, choose random $Q^* \in G_1$ and $s^* \in \mathbb{Z}_p$, and compute 
$v = e(P,Q^*)^{-1}\, y^{-s^*}$. 

(2) Simulate Protocol 6.2 with $(P,y,v)$ as the public key and $(Q^*,s^*)$ as the private key. 

(3) Run $(A,B)$ on the simulated protocol $1/\epsilon$ times. If the attack succeeds, record $R_{AB}$ (the 
random coins of $(A,B)$) and the transcript $(x,m,T,a)$. 

(4) Run $(A,B)$ on the simulated protocol $2/\epsilon$ times, using $R_{AB}$ as the random coins. If the 
attack succeeds, record the transcript $(x,m',T',a')$. 

(5) Let $Q = (T/T')^{1/(m-m')} \in G_1$ and $s = (a-a')/(m-m') \in \mathbb{Z}_p$. Output 

$Z = (Q/Q^*)^{1/(s^*-s)}.$ 

We now analyze the algorithm $C$. By Lemma D.3 the probability that steps (3) and (4) both 
succeed and output valid transcripts with $m \ne m'$ is at least $\frac12(1 - \frac1e)^2$. We now claim that if 
steps (3) and (4) both succeed, then $(Q,s) \ne (Q^*,s^*)$ with probability almost 1. To prove this, 
we show that if $(Q,s)$ and $(Q^*,s^*)$ are both valid private keys for the public key $(P,y,v)$, then 
even an infinitely powerful cheater $B$ cannot distinguish the two solely from his interaction with 
an honest prover $V$. The condition $(Q,s)$ and $(Q^*,s^*)$ both being valid private keys for the public 
key $(P,y,v)$ implies that 

(D.1) $e(P,Q)\cdot y^s = e(P,Q^*)\cdot y^{s^*}.$ 



Let $R^* = R\cdot(Q/Q^*)^m \in G_1$ and $r^* = r + m(s - s^*) \in \mathbb{Z}_p$. Then the following relations hold: 

$e(P,R)\cdot y^{r} = x = e(P,R^*)\cdot y^{r^*}$ 
$R\cdot Q^m = T = R^*\cdot (Q^*)^m$ 
$r + ms = a = r^* + ms^*$ 

Furthermore, for given $(Q, Q^*, s, s^*, m)$, the distribution of $(R,r)$ is identical to that of $(R^*,r^*)$. 
Since the cheating verifier $B$ receives only $(x,T,a)$ from the honest prover $V$, we see that there 
is no way for $B$ to determine which private key was used. Since there are $p$ possible pairs $(Q,s)$ 
satisfying $e(P,Q)^{-1} y^{-s} = v$, the probability that $(Q,s) \ne (Q^*,s^*)$ is $(p-1)/p$, or nearly 1. 

We now show that if steps (3) and (4) succeed and $(Q,s) \ne (Q^*,s^*)$, then step (5) outputs a 
$Z$ such that $e(P,Z) = y$. We first note that if $(Q,s) \ne (Q^*,s^*)$, then equation (D.1) implies that 
$Q \ne Q^*$ and $s \ne s^*$, so $Z$ is well-defined. Since $x$ is the same in both transcripts, we have 

$e(P,T)\cdot y^a \cdot v^m = e(P,T')\cdot y^{a'} \cdot v^{m'}.$ 

By the bilinearity of the pairing, this implies that 

$e(P, T/T')\cdot y^{a-a'} = v^{m'-m},$ 

so by definition of $Q$ and $s$ we have 

$e(P, Q^{m-m'})\cdot y^{s(m-m')} = v^{m'-m}.$ 

Raising the whole equation to the power $1/(m-m')$ and applying the definition $v = e(P,Q^*)^{-1}\, y^{-s^*}$ 
gives 

$e(P,Q)\cdot y^s = e(P,Q^*)\cdot y^{s^*}.$ 

Again using the bilinearity of the pairing, this gives us 

$e(P, Q/Q^*) = y^{s^*-s},$ 

and raising both sides to the power $1/(s^*-s)$ gives 

$e(P,Z) = y,$ 

as desired. 

Finally, we analyze the running time and success probability of $C$. If $c_s$ is the time taken to 
simulate the protocol with the private key $(Q^*,s^*)$, then each iteration of steps (3) and (4) takes 
time $t + c_s q$, so those two steps take time $3(t + c_s q)/\epsilon$. Steps (1) and (5) take a constant amount of 
time, say $c_0$, so the total running time is $c_0 + 3(t + c_s q)/\epsilon$. By Lemma D.3 and our computations 
above, if steps (3) and (4) succeed and $(Q,s) \ne (Q^*,s^*)$, then step (5) outputs a valid $Z$. The 
probability of the former is at least $\frac12(1 - \frac1e)^2$, while the probability of the latter is $(p-1)/p$. If 
$p > 17$ then the simultaneous probability of the two events is at least $3/16$. Thus our reduction 
gives the stated bounds. □ 
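Added example, not code from the paper: a toy symmetric pairing built from discrete-log tables (an assumption for illustration; because the tables invert it, it is not one-way) runs Protocol 6.2 as used in this proof and then carries out the key-extraction step (5) of algorithm $C$ on two rewound transcripts, checking that the recovered $(Q,s)$ is a valid private key and that $Z = (Q/Q^*)^{1/(s^*-s)}$ satisfies $e(P,Z) = y$. The same toy pairing is what one would use to check the verification equations of Protocols 7.1 and 7.3 in Section 7; all parameters and function names are constructed here.

```python
# Added example (not the paper's code): a toy symmetric pairing built from discrete-log
# tables drives Protocol 6.2 and the key-extraction step (5) of algorithm C in the proof
# of Theorem 6.4.  Parameters, names and the log-table pairing are assumptions; since the
# tables invert e, this pairing is NOT one-way and nothing here is secure.
import secrets

P_ORDER = 1013              # prime p = |G1| = |G2|
Q_MOD = 2 * P_ORDER + 1     # prime q = 2p + 1: Z_q^* has a unique subgroup of order p
G1_GEN, G2_GEN = 4, 9       # non-trivial squares mod q, hence generators of that subgroup

def _log_table(gen):        # element gen^i of the subgroup -> exponent i
    table, x = {}, 1
    for i in range(P_ORDER):
        table[x] = i
        x = x * gen % Q_MOD
    assert x == 1 and len(table) == P_ORDER   # gen really has order p
    return table

_LOG1, _LOG2 = _log_table(G1_GEN), _log_table(G2_GEN)

def pairing(a, b):
    """e(g^i, g^j) = h^(i*j): bilinear and non-degenerate, but trivially invertible."""
    return pow(G2_GEN, _LOG1[a] * _LOG1[b] % P_ORDER, Q_MOD)

def inv(x):                 # inverse of a group element in Z_q^*
    return pow(x, Q_MOD - 2, Q_MOD)

def inv_mod_p(k):           # inverse of a non-zero exponent in Z_p
    return pow(k % P_ORDER, P_ORDER - 2, P_ORDER)

def rand_exp():             # uniform element of Z_p^*
    return 1 + secrets.randbelow(P_ORDER - 1)

def keygen():
    """Public key (P, y, v) and private key (Q*, s*) with v = e(P,Q*)^(-1) * y^(-s*)."""
    P, y = pow(G1_GEN, rand_exp(), Q_MOD), pow(G2_GEN, rand_exp(), Q_MOD)
    Q, s = pow(G1_GEN, rand_exp(), Q_MOD), rand_exp()
    v = inv(pairing(P, Q)) * pow(inv(y), s, Q_MOD) % Q_MOD
    return (P, y, v), (Q, s)

def prover_commit(pub):
    """Step (1): Peggy draws R in G1, r in Z_p and sends x = e(P,R) * y^r."""
    P, y, _ = pub
    R, r = pow(G1_GEN, rand_exp(), Q_MOD), rand_exp()
    return (R, r), pairing(P, R) * pow(y, r, Q_MOD) % Q_MOD

def prover_respond(priv, coins, m):
    """Step (3): on challenge m, Peggy sends T = R * Q^m and a = r + m*s (mod p)."""
    (Q, s), (R, r) = priv, coins
    return R * pow(Q, m, Q_MOD) % Q_MOD, (r + m * s) % P_ORDER

def verify(pub, x, m, T, a):
    """Step (4): Victor accepts iff e(P,T) * y^a * v^m == x."""
    P, y, v = pub
    return pairing(P, T) * pow(y, a, Q_MOD) * pow(v, m, Q_MOD) % Q_MOD == x

def extract(t1, t2):
    """Step (5) of C: two accepting transcripts (m,T,a), (m',T',a') sharing x with
    m != m' give the key Q = (T/T')^(1/(m-m')), s = (a-a')/(m-m')."""
    (m, T, a), (m2, T2, a2) = t1, t2
    d = inv_mod_p(m - m2)
    return pow(T * inv(T2) % Q_MOD, d, Q_MOD), (a - a2) * d % P_ORDER

def invert_y(extracted, simulated):
    """Two distinct valid keys give Z = (Q/Q*)^(1/(s*-s)) with e(P,Z) = y."""
    (Q, s), (Qs, ss) = extracted, simulated
    return pow(Q * inv(Qs) % Q_MOD, inv_mod_p(ss - s), Q_MOD)

def demo():
    """Returns (both runs accepted, extractor recovered the prover's key, e(P,Z) == y)."""
    pub, (Qs, ss) = keygen()
    P, y, _ = pub
    # A second valid key (Q,s) != (Q*,s*) for pub (cf. (D.1)); needs a preimage Z0 of y.
    Z0 = pow(G1_GEN, _LOG2[y] * inv_mod_p(_LOG1[P]) % P_ORDER, Q_MOD)
    s = ss % (P_ORDER - 1) + 1                    # some s in Z_p^* with s != s*
    Q = Qs * pow(Z0, (ss - s) % P_ORDER, Q_MOD) % Q_MOD
    coins, x = prover_commit(pub)
    m1 = rand_exp()
    m2 = m1 % (P_ORDER - 1) + 1                   # distinct challenge, same coins (rewind)
    t1 = (m1,) + prover_respond((Q, s), coins, m1)
    t2 = (m2,) + prover_respond((Q, s), coins, m2)
    accepted = verify(pub, x, *t1) and verify(pub, x, *t2)
    key = extract(t1, t2)
    return accepted, key == (Q, s), pairing(P, invert_y(key, (Qs, ss))) == y
```

Calling `demo()` returns `(True, True, True)`; an honest prover using $(Q^*,s^*)$ itself would be extracted as exactly $(Q^*,s^*)$, which is why the proof needs the argument that $B$ cannot tell the two keys apart.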

Finally, we give the detailed proof of Corollary 6.5, a security theorem for Protocol 6.2 that does 
not require any assumptions on the security parameter $\epsilon'$ for the one-way pairing or the size of $p$, 
the order of $G_1$ and $G_2$. 

Proof of Corollary 6.5. The reduction is the same as in the proof of Theorem 6.4 except we 
don't iterate steps (3) and (4) of algorithm $C$. Then the success probability of step (3) is $\epsilon$. By 
Lemma D.2 the entry of the summary matrix $M$ corresponding to the output of step (3) is in a 
heavy row with probability at least $1/2$, and if this is the case then the success probability of step 
(4) is at least $\epsilon/2$. The success probability of step (5) is still $(p-1)/p$, which is at least $1/2$ since 
$p > 2$. Thus the total success probability $\pi$ of the algorithm satisfies 

$\pi \ge \epsilon \cdot \frac{1}{2} \cdot \frac{\epsilon}{2} \cdot \frac{1}{2} = \frac{\epsilon^2}{8}.$ 

The algorithm takes time $2(t + c_s q) + 2c_0$, where $c_s$ is the time taken to simulate the protocol and 
$2c_0$ is the time taken to perform the computations in steps (1) and (5). Thus our reduction gives 
the stated bounds. □ 